UTILITY PATENT APPLICATION TRANSMITTAL

(Only for new nonprovisional applications under 37 CFR 1.53(b))



Attorney Docket No.: 2189-20 LAM

First Inventor or Application Identifier: RONALD C. MULLIN

Title: DIGITAL SIGNATURES ON A SMARTCARD

Express Mail Label No.: EL440665795US



APPLICATION ELEMENTS 

See MPEP chapter 600 concerning utility patent application contents 



ADDRESS TO: Assistant Commissioner for Patents
Box Patent Application
Washington, D.C. 20231



1. _X_ Fee Transmittal Form
(Submit an original, and a duplicate for fee processing)

2. _X_ Specification [Total Pages 23]
(preferred arrangement set forth below)
- Descriptive title of the Invention
- Cross References to Related Applications
- Statement Regarding Fed sponsored R&D
- Reference to Microfiche Appendix
- Background of the Invention
- Brief Summary of the Invention
- Brief Description of the Drawings (if filed)
- Detailed Description
- Claim(s)
- Abstract of the Disclosure

3. _X_ Drawing(s) (35 USC 113) [Total Sheets 7]

4. _X_ Oath or Declaration [Total Pages 4]
a. _X_ Newly executed (original or copy)
b. Copy from a prior application (37 CFR 1.63(d))
(for continuation/divisional with Box 17 completed)
[Note Box 5 below]
i. DELETION OF INVENTOR(S)
Signed statement attached in the prior application, see 37 CFR 1.63(d)(2) and 1.33(b).

5. Incorporation by Reference (useable if Box 4b is checked)
The entire disclosure of the prior application, from which a copy of the oath or declaration is supplied under Box 4b, is considered as being part of the disclosure of the accompanying application and is hereby incorporated by reference therein.

6. Microfiche Computer Program (Appendix)

7. Nucleotide and/or Amino Acid Sequence Submission
(if applicable, all necessary)
a. Computer Readable Copy
b. Paper Copy (identical to computer copy)
c. Statement Verifying identity



ACCOMPANYING APPLICATION PARTS 



8. _X_ Assignment Papers (cover sheet & document(s))
9. ___ 37 CFR 3.73(b) Statement (when there is an assignee); Power of Attorney
10. ___ English Translation Document (if applicable)
11. _X_ Information Disclosure Statement (IDS)/PTO-1449; Copies of IDS Citations
12. _X_ Preliminary Amendment
13. _X_ Return Receipt Postcard (MPEP 503) (Should be specifically itemized)
14. ___ Small Entity Statement(s); Statement filed in prior application, Status still proper and desired
15. ___ Certified Copy of Priority Document(s) (if foreign priority is claimed)
16. _X_ Other: Check for $1,004.00



17. If a CONTINUING APPLICATION, check appropriate box and supply the requisite information:

___ Continuation ___ Divisional _X_ Continuation-in-part (CIP) of prior application No.

Prior application information: Examiner          Group/Art Unit



18. CORRESPONDENCE ADDRESS 



Customer Number or Bar Code Label: (insert Customer No. or attach bar code label here)

_X_ Correspondence address below

NAME: LAWRENCE A. MAXHAM, BAKER & MAXHAM
ADDRESS: 750 B STREET, SUITE 3100, SYMPHONY TOWERS
CITY: SAN DIEGO
STATE: CALIFORNIA
ZIP CODE: 92101
COUNTRY:

Name (Print/Type): LAWRENCE A. MAXHAM
Registration No. (Attorney/Agent): 24,483
Signature:
Date: 5 NOVEMBER 1999



F:\CLIENT\2189\020\PATENT APPLICATION TRANSMITTAL FORM DOC 



(BM 12/97) 



Practitioner's Docket No. 2189-20 



PATENT 



Preliminary Classification:

Proposed Class: 380
Subclass: 25

NOTE: "All applicants are requested to include a preliminary classification on newly filed patent applications. The preliminary classification, preferably class and subclass designations, should be identified in the upper right-hand corner of the letter of transmittal accompanying the application papers, for example 'Proposed Class 2, subclass 129.'" MPEP § 601, 7th ed.



IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 



Box Patent Application 

Assistant Commissioner for Patents 

Washington, D.C. 20231 



NEW APPLICATION TRANSMITTAL 

Transmitted herewith for filing is the patent application of 

inventor(s): Ronald C. Mullin, Scott A. Vanstone, Robert J. Lambert, Robert Gallant

WARNING: 37 CFR § 1.41(a)(1) points out:

"(a) A patent is applied for in the name or names of the actual inventor or inventors.

"(1) The inventorship of a nonprovisional application is that inventorship set forth in the oath or declaration as prescribed by § 1.63, except as provided for in § 1.53(d)(4) and § 1.63(d). If an oath or declaration as prescribed by § 1.63 is not filed during the pendency of a nonprovisional application, the inventorship is that inventorship set forth in the application papers filed pursuant to § 1.53(b), unless a petition under this paragraph accompanied by the fee set forth in § 1.17(i) is filed supplying or changing the name or names of the inventor or inventors."

For (title): DIGITAL SIGNATURES ON A SMARTCARD 



CERTIFICATION UNDER 37 C.F.R. § 1.10* 
(Express Mail label number is mandatory) 
(Express Mail certification is optional) 



I hereby certify that this New Application Transmittal and the documents referred to as attached therein are being deposited with the United States Postal Service on this date 5 November 1999, in an envelope as "Express Mail Post Office to Addressee", mailing Label Number EL440665795US addressed to the Box Patent Application, Assistant Commissioner for Patents, Washington, D.C. 20231.



John Dorsev
(type or print name of person certifying)

Signature of person mailing paper

WARNING: Certificate of mailing (first class) or facsimile transmission procedures of 37 C.F.R. § 1.8 cannot be used to obtain a date of mailing or transmission for this correspondence.

WARNING: Each paper or fee filed by "Express Mail" must have the number of the "Express Mail" mailing label placed thereon prior to mailing. 37 CFR § 1.10(b).

"Since the filing of correspondence under § 1.10 without the Express Mail mailing label thereon is an oversight that can be avoided by the exercise of reasonable care, requests for waiver of this requirement will not be granted on petition." Notice of Oct M 1996, 60 Fed. Reg. 56,439, at 56,442.
1. Type of Application

This new application is for a(n):

X Original (nonprovisional)
□ Design
□ Plant

(check one applicable item below)

WARNING: Do not use this transmittal for a completion in the U.S. of an International Application under 35 U.S.C. § 371(c)(4), unless the International Application is being filed as a divisional, continuation or continuation-in-part application.

WARNING: Do not use this transmittal for the filing of a provisional application.

NOTE: If one of the following 3 items apply, then complete and attach ADDED PAGES FOR NEW APPLICATION TRANSMITTAL WHERE BENEFIT OF A PRIOR U.S. APPLICATION CLAIMED and a NOTIFICATION IN PARENT APPLICATION OF THE FILING OF THIS CONTINUATION APPLICATION.

□ Divisional;

□ Continuation;

X Continuation-in-part (C-I-P).

2. Benefit of Prior U.S. Application(s) (35 U.S.C. §§ 119(e), 120, or 121) 

NOTE: A nonprovisional application may claim an invention disclosed in one or more prior filed copending nonprovisional applications or copending international applications designating the United States of America. In order for a nonprovisional application to claim the benefit of a prior filed copending nonprovisional application or copending international application designating the United States of America, each prior application must name as an inventor at least one inventor named in the later filed nonprovisional application and disclose the named inventor's invention claimed in at least one claim of the later filed nonprovisional application in the manner provided by the first paragraph of 35 U.S.C. § 112. Each prior application must also be:

(i) An international application entitled to a filing date in accordance with PCT Article 11 and designating the United States of America; or

(ii) Complete as set forth in § 1.51(b); or

(iii) Entitled to a filing date as set forth in § 1.53(b) or § 1.53(d) and include the basic filing fee set forth in § 1.16; or

(iv) Entitled to a filing date as set forth in § 1.53(b) and have paid therein the processing and retention fee set forth in § 1.21(l) within the time period set forth in § 1.53(f).

37 C.F.R. § 1.78(a)(1).

NOTE: If the new application being transmitted is a divisional, continuation or a continuation-in-part of a parent case, or where the parent case is an International Application which designated the U.S., or benefit of a prior provisional application is claimed, then check the following item and complete and attach ADDED PAGES FOR NEW APPLICATION TRANSMITTAL WHERE BENEFIT OF PRIOR U.S. APPLICATION(S) CLAIMED.

WARNING: If an application claims the benefit of the filing date of an earlier filed application under 35 U.S.C. §§ 120, 121 or 365(c), the 20-year term of that application will be based upon the filing date of the earliest U.S. application that the application makes reference to under 35 U.S.C. §§ 120, 121 or 365(c). (35 U.S.C. § 154(a)(2) does not take into account, for the determination of the patent term, any application on which priority is claimed under 35 U.S.C. §§ 119, 365(a) or 365(b).) For a c-i-p application, applicant should review whether any claim in the patent that will issue is supported by an earlier application and, if not, the applicant should consider canceling the reference to the earlier filed application. The term of a patent is not based on a claim-by-claim approach. See Notice of April 14, 1995, 60 Fed. Reg. 20,195, at 20,205.
WARNING: When the last day of pendency of a provisional application falls on a Saturday, Sunday, or Federal holiday within the District of Columbia, any nonprovisional application claiming benefit of the provisional application must be filed prior to the Saturday, Sunday, or Federal holiday within the District of Columbia. See 37 C.F.R. § 1.78(a)(3).

X The new application being transmitted claims the benefit of prior U.S. application(s). Enclosed are ADDED PAGES FOR NEW APPLICATION TRANSMITTAL WHERE BENEFIT OF PRIOR U.S. APPLICATION(S) CLAIMED.

3. Papers Enclosed

A. Required for filing date under 37 C.F.R. § 1.53(b) (Regular) or 37 C.F.R. § 1.153 (Design) Application

15 Pages of specification
7 Pages of claims
7 Sheets of drawing

WARNING: DO NOT submit original drawings. A high quality copy of the drawings should be supplied when filing a patent application. The drawings that are submitted to the Office must be on strong, white, smooth, and non-shiny paper and meet the standards according to § 1.84. If corrections to the drawings are necessary, they should be made to the original drawing and a high-quality copy of the corrected original drawing then submitted to the Office. Only one copy is required or desired. For comments on proposed then-new 37 C.F.R. § 1.84, see Notice of March 9, 1988 (1990 O.G. 57-62).

NOTE: "Identifying indicia, if provided, should include the application number or the title of the invention, inventor's name, docket number (if any), and the name and telephone number of a person to call if the Office is unable to match the drawings to the proper application. This information should be placed on the back of each sheet of drawing a minimum distance of 1.5 cm (5/8 inch) down from the top of the page." 37 C.F.R. § 1.84(c).

(complete the following, if applicable)

□ The enclosed drawing(s) are photograph(s), and there is also attached a "PETITION TO ACCEPT PHOTOGRAPH(S) AS DRAWING(S)." 37 C.F.R. § 1.84(b).

X formal - Figs. 1-6

X informal - Figs. 7-9

B. Other Papers Enclosed 

4 Pages of declaration and power of attorney 

1 Pages of abstract 

Other 

4. Additional Papers Enclosed 

X Amendment to claims 

X Cancel in this application 1-12 before calculating the filing fee. (At least one original 
independent claim must be retained for filing purposes.) 

□ Add the claims shown on the attached amendment. (Claims added have been numbered 
consecutively following the highest numbered original claims). 

X Preliminary Amendment 

X Information Disclosure Statement (37 C.F.R. § 1.98)
X Form PTO-1449 (PTO/SB/08A and 08B) 
□ Citations 
□ Declaration of Biological Deposit

□ Submission of "Sequence Listing," computer readable copy and/or amendment pertaining thereto for biotechnology invention containing nucleotide and/or amino acid sequence

□ Authorization of Attorney(s) to Accept and Follow Instructions from Representative.

□ Special Comments

□ Other

5. Declaration or oath (including power of attorney)

NOTE: A newly executed declaration is not required in a continuation or divisional application provided that the prior non-provisional application contained a declaration as required, the application being filed is by all or fewer than all the inventors named in the prior application, there is no new matter in the application being filed, and a copy of the executed declaration filed in the prior application (showing the signature or an indication thereon that it was signed) is submitted. The copy must be accompanied by a statement requesting deletion of the names of person(s) who are not inventors of the application being filed. If the declaration in the prior application was filed under § 1.47, then a copy of that declaration must be filed accompanied by a copy of the decision granting § 1.47, then a copy of that declaration must be filed accompanied by a copy of the decision granting § 1.47 status or, if a nonsigning person under § 1.47 has subsequently joined in a prior application, then a copy of the subsequently executed declaration must be filed. See 37 CFR §§ 1.63(d)(1)-(3).

NOTE: A declaration to complete an application must be executed, identify the specification to which it is directed, identify each inventor by full name including family name and at least one given name, without abbreviation together with any other given name or initial, and the residence, post office address and country or citizenship of each inventor, and state whether the inventor is a sole or joint inventor. 37 C.F.R. § 1.63(a)(1)-(4).



X Enclosed 
Executed by 

(check all applicable boxes) 



X inventor(s) 

□ legal representative of inventor(s) 
37 C.F.R. §§ 1.42 or 1.43. 

□ joint inventor or person showing a proprietary
interest on behalf of inventor who refused to sign 
or cannot be reached. 

□ This is the petition required by 37 C.F.R. § 1 .47 and the statement required by 37 
C.F.R. § 1.47 is also attached. See item 13 below for fee. 

□ Not Enclosed. 

NOTE: Where the filing is a completion in the U.S. of an International Application or where the completion of the U.S. application contains
subject matter in addition to the International Application, the application may be treated as a continuation or continuation-in-part, 
as the case may be, utilizing ADDED PAGE FOR NEW APPLICATION TRANSMITTAL WHERE BENEFIT OF PRIOR U.S. 
APPLICATION CLAIMED. 

□ Application is made by a person authorized under 37 C.F.R. § 1.41(c) on behalf of all the above 
named inventor(s). 
(The declaration or oath, along with the surcharge required by 37 C.F.R. § 1.16(e) can be filed subsequently)

□ Showing that the filing is authorized

(not required unless called into question. 37 C.F.R. § 1.41(d))

6. Inventorship Statement

WARNING: If the named inventors are each not the inventors of all the claims, an explanation, including the ownership of the various claims at the time the last claimed invention was made, should be submitted.

The inventorship for all the claims in this application are: 
□ The same 

or 

X Not the same. An explanation, including the ownership of the various claims at the time the 
last claimed invention was made, 

X is submitted 

□ will be submitted 



7. Language 



NOTE: An application including a signed oath or declaration may be filed in a language other than English. An English translation of the non-English language application and the processing fee of $130.00 required by 37 C.F.R. § 1.17(k) is required to be filed with the application, or within such time as may be set by the Office. 37 C.F.R. § 1.52(d).

X English 

□ Non-English 

□ The attached translation includes a statement that the translation is accurate. 37 
C.F.R. § 1.52(d) 



8. Assignment 

X An assignment of the invention to Certicom Corp. 



X is attached. A separate X "COVER SHEET FOR ASSIGNMENT (DOCUMENT) 
ACCOMPANYING NEW PATENT APPLICATION" or X FORM PTO-1595 is 
also attached. 

□ will follow. 

NOTE: "If an assignment is submitted with a new application, send two separate letters, one for the application and one for the assignment." Notice of May 4, 1990 (1114 O.G. 77-78).

WARNING: A newly executed "CERTIFICATE UNDER 37 CFR § 3.73(B)" must be filed when a continuation-in-part application is filed by an assignee. Notice of April 30, 1993, 1150 O.G. 62-64.
9. Certified Copy

Certified copy(ies) of application(s)

Country          Appln. No.          Filed
Country          Appln. No.          Filed
Country          Appln. No.          Filed

from which priority is claimed.

□ is (are) attached.

□ will follow.

NOTE: The foreign application forming the basis for the claim for priority must be referred to in the oath or declaration. 37 CFR §§ 1.55(a) and 1.63.

NOTE: This item is for any foreign priority for which the application being filed directly relates. If any parent U.S. application or International Application from which this application claims benefit under 35 U.S.C. § 120 is itself entitled to priority from a prior foreign application, then complete item 18 on the ADDED PAGES FOR NEW APPLICATION TRANSMITTAL WHERE BENEFIT OF PRIOR U.S. APPLICATION(S) CLAIMED.

10. Fee Calculation (37 C.F.R. § 1.16) 

A. X Regular application 



CLAIMS AS FILED (Number filed - base = Number Extra x Rate = Fee)

Basic Fee (37 C.F.R. § 1.16(a)): $760 or $380
Total Claims (37 C.F.R. § 1.16(c)): 27 - 20 = 7 x $18.00 = 126
Independent Claims (37 C.F.R. § 1.16(b)): 4 - 3 = 1 x $78.00 = 78
Multiple dependent claim(s), if any (37 C.F.R. § 1.16(d)): 0 + $260.00 = 0

X An amendment canceling extra claims is enclosed.

□ An amendment deleting multiple-dependencies is enclosed.

□ The fee for extra claims is not being paid at this time.

NOTE: If the fees for extra claims are not paid on filing, they must be paid or the claims canceled by amendment, prior to the expiration of the time period set for response by the Patent and Trademark Office in any notice of fee deficiency. 37 C.F.R. § 1.16(d).

Filing Fee Calculation $ 964 

B. □ Design application

($310.00—37 C.F.R. § 1.16(f))

Filing Fee Calculation $ 

C. □ Plant application 

($480.00—37 C.F.R. § 1.16(g) 

Filing Fee Calculation $ 
11. Small Entity Statement(s)

□ Statement(s) that this is a filing by a small entity under 37 C.F.R. §§ 1.9 and 1.27 is (are) attached.

WARNING: "Status as a small entity must be specifically established in each application or patent in which the status is available and desired. Status as a small entity in one application or patent does not affect any other application or patent, including applications or patents which are directly or indirectly dependent upon the application or patent in which the status has been established. The refiling of an application under § 1.53 as a continuation, division, or continuation-in-part (including a continued prosecution application under § 1.53(d)), or the filing of a reissue application requires a new determination as to continued entitlement to small entity status for the continuing or reissue application. A nonprovisional application claiming benefit under 35 U.S.C. § 119(e), 120, 121, or 365(c) of a prior application, or a reissue application may rely on a statement filed in the prior application or in the patent if the nonprovisional application or the reissue application includes a reference to the statement in the prior application or in the patent or includes a copy of the statement in the prior application or in the patent and status as a small entity is still proper and desired. The payment of the small entity basic statutory filing fee will be treated as such a reference for purposes of this section." 37 C.F.R. § 1.28(a)(2).

WARNING: "Small entity status must not be established when the person or persons signing the ... statement can unequivocally make the required self-certification." M.P.E.P., § 509.03, 7th ed. (emphasis added).

(complete the following, if applicable) 

□ Status as a small entity was claimed in prior application 

/ , filed on , from which benefit is being 

claimed for this application under: 

35U.S.C. §□ 119(e), 

□ 120, 

□ 121, 

□ 365(c), 

and which status as a small entity is still proper and desired. 

□ A copy of the statement in the prior application is included. 
Filing Fee Calculation (50% of A, B, or C above) $ 

NOTE: Any excess of the full fee paid will be refunded if a small entity statement and a refund request are filed 
within 2 months of the date of timely payment of a full fee. The two-month period is not extendable under 
§1.136. 37 C.F.R § 1.28(a). 
13. Fee Payment Being Made at This Time

□ Not Enclosed

□ No filing fee is to be paid at this time

(This and the surcharge required by 37 C.F.R. § 1.6(e) can be paid subsequently.)

X Enclosed

X Filing fee $ 964

X Recording assignment ($40.00—37 C.F.R. § 1.21(h)) (See attached "COVER SHEET FOR ASSIGNMENT ACCOMPANYING NEW APPLICATION.") $ 40

□ Petition fee for filing by other than all the inventors or person on behalf of the inventor where inventor refused to sign or cannot be reached ($130.00—37 C.F.R. §§ 1.47 and 1.17(i)) $

□ For processing an application with a specification in a non-English language ($130.00—37 C.F.R. §§ 1.52(d) and 1.17(k)) $

□ Processing and retention fee ($130.00—37 C.F.R. §§ 1.53(d) and 1.21(l)) $

□ Fee for international-type search report ($40.00—37 C.F.R. §§ 1.21(e)) $

NOTE: 37 C.F.R. § 1.21(l) establishes a fee for processing and retaining any application that is abandoned for failing to complete the application pursuant to 37 C.F.R. § 1.53(f) and this, as well as the changes to 37 C.F.R. §§ 1.53 and 1.78(a)(1), indicate that in order to obtain the benefit of a prior U.S. application, either the basic filing fee must be paid, or the processing and retention fee of § 1.21(l) must be paid, within 12 year from notification under § 53(f).

Total fees enclosed $ 1004



14. Method of Payment of Fees 

X Check in the amount of $ 1004 



□ Charge Account No. in the amount of $ 

A duplicate of this transmittal is attached. 

NOTE: Fees should be itemized in such a manner that it is clear for which purpose the fees are paid. 37 CFR § 1.22(b).

15. Authorization to Charge Additional Fees

WARNING: If no fees are to be paid on filing, the following items should not be completed. 

WARNING: Accurately count claims, especially multiple dependent claims, to avoid unexpected high charges, if extra 
claim charges are authorized. 



X The Commissioner is hereby authorized to charge the following additional 
fees by this paper and during the entire pendency of this application to 
Account No. 02-0460 



X 37 C.F.R. § 1.16(a), (f), or (g) (filing fees) 



X 37 C.F.R. § 1.16(b), (c), or (d) (presentation of extra claims) 

NOTE: Because additional fees for excess or multiple dependent claims not paid on filing or on later presentation must only be paid or these claims canceled by amendment prior to the expiration of the time period set for response by the P.T.O. in any notice of fee deficiency (37 C.F.R. § 1.16(d)), it might be best not to authorize the P.T.O. to charge additional claim fees, except possibly when dealing with amendments after final action.

□ 37 C.F.R. § 1.16(e) (surcharge for filing the basic filing fee and/or declaration on a date later than the filing date of the application)

□ 37 C.F.R. § 1.17(a)(1)-(5) (extension fees pursuant to § 1.136(a))

□ 37 C.F.R. § 1.17 (application processing fees) 

NOTE: "... A written request may be submitted in an application that is an authorization to treat any concurrent or future reply, requiring a petition for an extension of time under this paragraph for its timely submission, as incorporating a petition for extension of time for the appropriate length of time. An authorization to charge all required fees, fees under § 1.17, or all required extension of time fees will be treated as a constructive petition for an extension of time in any concurrent or future reply requiring a petition for an extension of time under this paragraph for its timely submission. Submission of the fee set forth in § 1.17(a) will also be treated as a constructive petition for an extension of time in any concurrent reply requiring a petition for an extension of time under this paragraph for its timely submission." 37 C.F.R. § 1.135(a)(3).

□ 37 C.F.R. § 1.18 (issue fee at or before mailing of Notice of Allowance, pursuant to 37 C.F.R. § 1.311(b))

NOTE: Where an authorization to charge the issue fee to a deposit account has been filed before the mailing of a Notice of Allowance, the issue fee will be automatically charged to the deposit account at the time of mailing the Notice of Allowance. 37 C.F.R. § 1.311(b).

NOTE: 37 C.F.R. § 1.28(b) requires "Notification of any change in status resulting in loss of entitlement to small entity status must be filed in the application ... prior to paying, or at the time of paying, ... issue fee." From the wording of 37 C.F.R. § 1.28(b), (a) notification of change of status must be made even if the fee is paid as "other than a small entity" and (b) no notification is required if the change is to another small entity.

16. Authorization to Charge Additional Fees

NOTE: "... Amounts of twenty-five dollars or less will not be returned unless specifically requested within a reasonable time, nor will the payer be notified of such amounts; amounts over twenty-five dollars may be returned by check or, if requested, by credit to a deposit account." 37 C.F.R. § 1.26(a).

X Credit Account No. 02-0460 



□ Refund 



Date: 5 November 1999 

Reg. No.: 24,483 

Tel. No. (619) 233-9004 





SIGNATURE OF PRACTITIONER



Lawrence A. Maxham 
ADDED PAGES FOR APPLICATION TRANSMITTAL WHERE BENEFIT OF PRIOR U.S. APPLICATION(S) CLAIMED

NOTE: See 37 C.F.R. § 1.73.

17. Relate Back

WARNING: If an application claims the benefit of the filing date of an earlier filed application under 35 U.S.C. §§ 120, 121 or 365(c), the 20-year term of that application will be based upon the filing date of the earliest U.S. application that the application makes reference to under 35 U.S.C. §§ 120, 121 or 365(c). (35 U.S.C. § 154(a)(2) does not take into account, for the determination of the patent term, any application on which priority is claimed under 35 U.S.C. §§ 119, 365(a) or 365(b).) For a c-i-p application, applicant should review whether any claim in the patent that will issue is supported by an earlier application and, if not, the applicant should consider canceling the reference to the earlier filed application. The term of a patent is not based on a claim-by-claim approach. See Notice of April 14, 1995, 60 Fed. Reg. 20,195, at 20,205.

(complete the following, if applicable)

S Amend the specification by inserting, before the first line, the following sentence:

A. 35 U.S.C. § 119(e)

NOTE: "Any nonprovisional application claiming the benefit of one or more prior filed copending provisional applications must contain or be amended to contain in the first sentence of the specification following the title a reference to each such prior provisional application, identifying it as a provisional application, and including the provisional application number (consisting of series code and serial number)." 37 C.F.R. § 1.78(a)(4).

□ "This application claims the benefit of U.S. Provisional Application(s) No(s).:

APPLICATION NO(S).:          FILING DATE

/ -

/ -

/ -
B. 35 U.S.C. §§ 120, 121 and 365(c)

NOTE: "Except for a continued prosecution application filed under § 1.53(d), any nonprovisional application claiming the benefit of one or more prior filed copending nonprovisional applications or international applications designating the United States of America must contain or be amended to contain in the first sentence of the specification following the title a reference to each such prior application, identifying it by application number (consisting of the series code and serial number) or international application number and international filing date and indicating the relationship of the applications. ... Cross-references to other related applications may be made when appropriate." (See § 1.14(a)) 37 C.F.R. § 1.78(a)(2).

X "This application is a

□ continuation

X continuation-in-part

□ divisional

of copending application(s)

application number 08/632,845 filed on 4/16/96

□ International Application filed on

and which designated the U.S."

NOTE: The proper reference to a prior filed PCT application that entered the U.S. national phase is the U.S. serial number and the filing date of the PCT application that designated the U.S.

NOTE: (1) Where the application being transmitted adds subject matter to the International Application, then the filing can be as a continuation-in-part or (2) if it is desired to do so for other reasons then the filing can be as a continuation.

NOTE: The deadline for entering the national phase in the U.S. for an international application was clarified in the Notice of April 28, 1987 (1079 O.G. 32 to 46) as follows:

"The Patent and Trademark Office considers the international application to be pending until the 22nd month from the priority date if the United States has been designated and no Demand for International Preliminary Examination has been filed prior to the expiration of the 19th month from the priority date and until the 32nd month from the priority date if a Demand for International Preliminary Examination which elected the United States of America has been filed prior to the expiration of the 19th month from the priority date, provided that a copy of the international application has been communicated to the Patent and Trademark Office within the 20 or 30 month period respectively. If a copy of the international application has not been communicated to the Patent and Trademark Office within the 20 or 30 month period respectively, the international application becomes abandoned as to the United States 20 or 30 months from the priority date respectively. These periods have been placed in the rules as paragraph (h) of § 1.494 and paragraph (i) of § 1.495. A continuing application under 35 U.S.C. 365(c) and 120 may be filed anytime during the pendency of the international application."

□ "The nonprovisional application designated above, namely application

/ , filed , claims the benefit of

U.S. Provisional Application(s) No(s).:

APPLICATION NO(S).:          FILING DATE

Where more than one reference is made above, please combine all references into one sentence.

(Added Pages for Application Transmittal Where Benefit of Prior U.S. Application(s) Claimed

[4-1.1]— page 2 of 5)



18. Relate Back— 35 U.S.C. § 119 Priority Claim for Prior Application

The prior U.S. application(s), including any prior International Application designating the
U.S., identified above in item 178, in turn itself claim(s) foreign priority(ies) as follows:

Country          Appln. no.          Filed on

The certified copy(ies) has (have)

□ been filed on , in prior application 0 / , which was

filed on

□ is (are) attached.

WARNING: The certified copy of the priority application that may have been communicated to the PTO by
the International Bureau may not be relied on without any need to file a certified copy of the priority
application in the continuing application. This is so because the certified copy of the priority
application communicated by the International Bureau is placed in a folder and is not assigned
a U.S. serial number unless the national stage is entered. Such folders are disposed of if the national
stage is not entered. Therefore, such certified copies may not be available if needed later in the
prosecution of a continuing application. An alternative would be to physically remove the priority
documents from the folders and transfer them to the continuing application. The resources required
to request transfer, retrieve the folders, make suitable record notations, transfer the certified copies,
enter and make a record of such copies in the Continuing Application are substantial. Accordingly,
the priority documents in folders of International applications that have not entered the national
stage may not be relied on. Notice of April 28, 1987 (1079 O.G. 32 to 46).

19. Maintenance of Copendency of Prior Application

NOTE: The PTO finds it useful if a copy of the petition filed in the prior application extending the term for
response is filed with the papers constituting the filing of the continuation application. Notice of
November 5, 1985 (1060 O.G. 27).

A. □ Extension of time in prior application

(This item must be completed and the papers filed in the prior application,
if the period set in the prior application has run.)

□ A petition, fee and response extends the term in the pending prior application
until

□ A copy of the petition filed in prior application is attached.

B. □ Conditional Petition for Extension of Time in Prior Application

(complete this item, if previous item not applicable)

□ A conditional petition for extension of time is being filed in the pending prior
application.

□ A copy of the conditional petition filed in the prior application is attached.
20. Further Inventorship Statement Where Benefit of Prior Application(s)
Claimed

(complete applicable item (a), (b) and/or (c) below)

(a) □ This application discloses and claims only subject matter disclosed in the prior
application whose particulars are set out above and the inventor(s) in this
application are

□ the same.

□ less than those named in the prior application. It is requested that the
following inventor(s) identified for the prior application be deleted:

(type name(s) of inventor(s) to be deleted)

(b) ☒ This application discloses and claims additional disclosure by amendment and
a new declaration or oath is being filed. With respect to the prior application,
the inventor(s) in this application are

□ the same.

☒ the following additional inventor(s) have been added:

Robert J. Lambert and Robert Gallant

(type name(s) of inventor(s) to be added)

(c) The inventorship for all the claims in this application are

□ the same.

☒ not the same. An explanation, including the ownership of the various claims
at the time the last claimed invention was made

☒ is submitted.

□ will be submitted.

New Figs. 7-9 have been added, together with relevant
descriptive matter on pages 14 and 15 of the specification. New
claims 28 - 39 have been added, necessitating the addition of
inventors Lambert and Gallant. Ownership of all original and all
new claims are and have been in the named assignee at all relevant
times.
21. Abandonment of Prior Application (if applicable)

□ Please abandon the prior application at a time while the prior application is
pending, or when the petition for extension of time or to revive in that application
is granted, and when this application is granted a filing date, so as to make this
application copending with said prior application.

NOTE: According to the Notice of May 13, 1983 (103, TMOG 6-7), the filing of a continuation or continuation-in-
part application is a proper response with respect to a petition for extension of time or a petition to
revive and should include the express abandonment of the prior application conditioned upon the
granting of the petition and the granting of a filing date to the continuing application.

22. Petition for Suspension of Prosecution for the Time Necessary to
File an Amendment

WARNING: "The claims of a new application may be finally rejected in the first Office action in those situations
where (A) the new application is a continuing application of, or a substitute for, an earlier application,
and (B) all the claims of the new application (1) are drawn to the same invention claimed in the
earlier application, and (2) would have been properly finally rejected on the grounds of art of record
in the next Office action if they had been entered in the earlier application." M.P.E.P., § 706.07(b),
7th ed.

NOTE: Where it is possible that the claims on file will give rise to a first action final for this continuation application
and for some reason an amendment cannot be filed promptly (e.g., experimental data is being gathered)
it may be desirable to file a petition for suspension of prosecution for the time necessary.

(check the next item, if applicable)

□ There is provided herewith a Petition To Suspend Prosecution for the Time
Necessary to File An Amendment (New Application Filed Concurrently)

23. Small Entity (37 C.F.R. § 1.28(a))

□ Applicant has established small entity status by the filing of a statement in parent
application / or .

□ A copy of the statement previously filed is included.

WARNING: See 37 C.F.R. § 1.28(a).

WARNING: "Small entity status must not be established when the person or persons signing the . . . statement
can unequivocally make the required self-certification." M.P.E.P., § 509.03, 7th ed. (emphasis
added).

24. NOTIFICATION IN PARENT APPLICATION OF THIS FILING

☒ A notification of the filing of this
(check one of the following)

□ continuation

☒ continuation-in-part

□ divisional

is being filed in the parent application, from which this application claims priority under 35
U.S.C. § 120.
ATTORNEY DOCKET NO.: 8700001-0205

IN THE UNITED STATES PATENT & TRADEMARK OFFICE 



In re patent application of: 



RONALD C. MULLIN et al 



Serial No.: 



Group Art Unit: 



Filed: 



Examiner: 



Title: 



Digital Signatures on a Smartcard 



Assistant Commissioner for Patents 



Washington, D.C. 20231 



PRELIMINARY AMENDMENT 



Sir: 

IN THE CLAIMS 

Cancel claims 1 to 12 submitted herewith 

REMARKS 

Claims 1 to 12 correspond in substance to claims 1 to 12 as allowed in the parent 
application 08/632,845 and are removed from consideration. 

In the parent case, the Examiner considered the phrase "in a deterministic but
unpredictable manner" recited in each of independent claims 13 and 21 to be indefinite. The
Examiner's position appeared to be that the terms "deterministic" and "unpredictable" are
contradictory and therefore do not satisfy the requirements of 35 U.S.C. 112. To support that
position the Examiner relied upon the extract from "Primality and Cryptography" by Kranakis,
where it notes that for a pseudorandom sequence (which is deterministic), an exhaustive search
could determine the seed from which the sequence was produced. This appears to be the basis
for suggesting that such a deterministic generation cannot be unpredictable.
The Examiner failed to note that the same reference does, however, go on in the next
sentence to note that such a search would be "of value only if it were computationally feasible"
(emphasis added). In other words, although theoretically the seed can be obtained, in practice
there are pseudorandom sequences for which the seed cannot be practically obtained. The
section cited by the Examiner develops this theme, noting that certain generators are predictable
and the development of general notions that emerge in subsequent sections include unpredictable
pseudorandom generators. Given that a pseudorandom generator is deterministic as established
by the passage relied on by the Examiner, the reference relied upon by the Examiner lends
support for Applicants' use of the terminology "deterministic but unpredictable manner." In
other words, this reference itself clearly suggests the existence of a device that operates in an
"unpredictable but deterministic manner."

The text "Applied Cryptography" by Bruce Schneier (ISBN 0-471-59756-2), at pages 39 
through 41, discusses pseudorandom sequence generation i.e. in a deterministic manner and the 
concept of unpredictability. A copy of this section, together with face page of the book, is 
attached. From this section it would be noted that pseudorandom generators are deterministic in 
nature but within the general class of pseudorandom generation there are sub-classes that are 
suitable for cryptographic applications. A condition for a cryptographically random sequence is 
not only that it looks random but it must have the additional second property, namely, that it is 
unpredictable. The term "unpredictable" as applied in this art means "it must be 
computationally unfeasible to predict what the next random bit will be, given complete 
knowledge of the algorithms or hardware generating the sequence and all of the previous bits in 
the stream." Thus it may be seen that pseudorandom generators are deterministic, but they are 
also unpredictable if they satisfy the above requirement. 

Quite clearly therefore within the context of cryptography there is a well established 
concept of operating in a deterministic but unpredictable manner and this is readily understood 
by those skilled in the particular art to which the present invention pertains. 

The use of this concept is not restricted to the Schneier publication. Attached is an 
extract from a further publication by Kranakis namely "Theoretical Aspects of the Security of 
Public Key Cryptography" in which, at page 105, he makes reference to two security tests for 
pseudorandom generators. The first one, the Blum-Micali test, is used to construct unpredictable
pseudorandom generators. In other words, he is using terminology of a generator that operates in
an unpredictable and pseudorandom or deterministic manner. Also enclosed is an extract from
"Pseudorandomness and Cryptographic Applications" by Michael Luby. At page 51, at Theorem
4.1, he defines a pseudorandom (deterministic) generator if and only if the generator is "next-bit
unpredictable." Again the concepts of a deterministic operation with unpredictability are used.

It is submitted therefore that independent claims 13 and 21 satisfy the requirements of
35 U.S.C. 112, second paragraph, in that they utilize language which is readily understood by a
person skilled in the art to which the present invention pertains. The widespread use of that 
language has been demonstrated from a number of sources including the source relied upon by 
the Examiner and is therefore believed to provide a clear showing that the language of claims 13 
and 21 is allowable. Further consideration to that end is respectfully requested. Claims 14-20 
and 22-27 depend from and serve to further limit and define the invention of the independent 
claims. 

Respectfully submitted, 



Date 



Lawrence A. Maxham 
Attorney for the Applicant 
Registration No. 24,483 



DIGITAL SIGNATURES ON A SMARTCARD 



This application is a continuation-in-part of Application 08/632,845. 

The present invention relates to methods and apparatus for generating digital
signatures.

It has become widely accepted to conduct transactions, such as financial
transactions or exchange of documents, electronically. In order to verify the transaction, it is
also well-known to "sign" the transaction digitally so that the authenticity of the transaction
can be verified. The signature is performed according to a protocol that utilizes the message,
i.e. the transaction, and a secret key associated with the party. The recipient can verify the
signature using a public key of the signing party to recover the message and compare it with
the transmitted message. Any attempt to tamper with the message or to use a key other than
that of the signing party will result in an incompatibility between the sent message and that
recovered from the signature or will fail to identify the party correctly and thereby lead to
rejection of the transaction.

The signature must be performed such that the signing party's secret key
cannot be determined. To avoid the complexity of distributing secret keys, it is convenient to
utilize a public key encryption scheme in the generation of the signature. Such capabilities
are available where the transaction is conducted between parties having access to relatively
large computing resources but it is equally important to facilitate such transactions at an
individual level where more limited computing resources are available.

Automated teller machines (ATMs) and credit cards are widely used for
personal transactions and as their use expands, so the need to verify such transactions
increases. Transaction cards, i.e. credit/debit cards or pass cards are now available with
limited computing capacity (so-called "Smart Cards") but these do not have sufficient
computing capacity to implement existing digital signature protocols in a commercially
viable manner.

As noted above, in order to generate a digital signature, it is necessary to
utilize a public key encryption scheme. Most public key schemes are based on the Diffie-
Hellman Public key protocol and a particularly popular implementation is that known as DSS.
The DSS scheme utilizes the set of integers $Z_p$ where p is a large prime. For adequate
security, p must be in the order of 512 bits although the resultant signature may be reduced
mod q, where q divides p-1, and may be in the order of 160 bits.

The DSS protocol provides a signature composed of two components r, s. The
protocol requires the selection of a secret random integer k referred to as the session key from
the set of integers (0, 1, 2, ... q-1), i.e.

$k \in \{0, 1, 2, \ldots, q-1\}$.

The component r is then computed such that

$r = \{\beta^k \bmod p\} \bmod q$

where $\beta$ is a generator of q.
The component s is computed as

$s = [k^{-1}(h(m)) + ar] \bmod q$

where m is the message to be transmitted,
h(m) is a hash of that message, and
a is the private key of the user.

The signature associated with the message is then s,r which may be used to
verify the origin of the message from the public key of the user.

The value $\beta^k$ is computationally difficult for the DSS implementation as the
exponentiation requires multiple multiplications mod p. This is beyond the capabilities of a
"Smart Card" in a commercially acceptable time. Although the computation could be
completed on the associated ATM, this would require the disclosure of the session key k to
the ATM and therefore render the private key, a, vulnerable.

It has been proposed to precompute $\beta^k$ and store sets of values of r and k on
the card. The generation of the signature then only requires two 160 bit multiplications and
signing can be completed within ½ second for typical applications. However, the number of
sets of values stored limits the number of uses of the card before either reloading or
replacement is required. A problem that exists therefore is how to generate sufficient sets of
values within the storage and/or computing capacity of the card.






One possibility is to use a smaller value of p but with the DSS scheme this 
will jeopardize the security of the transaction. 

An alternative encryption scheme that provides enhanced security at relatively
small modulus is that utilizing elliptic curves in the finite field $2^m$. A value of m in the order
of 155 provides security comparable to a 512 bit modulus for DSS and therefore offers
significant benefits in implementation.

Diffie-Hellman Public Key encryption utilizes the properties of discrete logs so
that even if a generator $\beta$ and the exponentiation $\beta^k$ is known, the value of k cannot be
determined. A similar property exists with elliptic curves where the addition of two points
on a curve produces a third point on the curve. Similarly, multiplying any point on the curve
by an integer k produces a further point on the curve. However, knowing the starting point
and the end point does not reveal the value of the integer 'k' which may then be used as a
session key for encryption. The value kP, where P is an initial known point, is therefore
equivalent to the exponentiation $\beta^k$.

In order to perform a digital signature on an elliptic curve, it is necessary to
have available the session key k and a value of kP referred to as a "session pair". Each
signature utilizes a different session pair k and kP and although the representation of k and kP
is relatively small compared with DSS implementations, the practical limits for "Smart
Cards" are in the order of 32 signatures. This is not sufficient for commercial purposes.

One solution for both DSS and elliptic curve implementations is to store pairs
of signing elements k, kP and combine stored pairs to produce a new session pair. For an
elliptic curve application, this would yield a possible 500 session pairs from an initial group
of 32 stored signing elements. The possibilities would be more limited when using DSS
because of the smaller group of signing elements that could be stored.

In order to compute a new session pair, k and kP, from a pair of stored signing
elements, it is necessary to add the values of k, e.g. $k_1 + k_2 \to k$ and the values of $k_1P$ and $k_2P$
to give a new value kP. In an elliptic curve, the addition of two points to provide a third
point is performed according to set formula such that the addition of a point $k_2P$ having
coordinates $(x, y)$ and a point $k_1P$ having coordinates $(x_2, y_2)$ provides a point $k_3P$ whose x
coordinate $x_3$ is given by:
This computation may be significantly simplified using the normal basis
representation in a field $F_{2^m}$, as set out more fully in our PCT Application Serial No. PCT
/CA/S00452, the contents of which are incorporated herein by reference. However, even
using such advantageous techniques, it is still necessary to utilize a finite field multiplier and
provide sufficient space for code to perform the computation. This is not feasible within the
practical limits of available "Smart" cards.

As noted above, the ATM used in association with the card has sufficient
computing power to perform the computation but the transfer of the coordinates of $k_1P$ and
$k_2P$ from the card to the terminal would jeopardize the integrity of subsequent digital
signatures as two of the stored signing elements would be known.

It is therefore an object of the present invention to obviate or mitigate the
above disadvantages and facilitate the preparation of additional pairs of values from a
previously stored set.

In general terms, one aspect of the present invention proposes to compute on
one computing device an initial step in the computation of a coordinate of a point derived
from a pair of points to inhibit recognition of the individual components, transfer such
information to another computing device remote from said one device, perform at least such
additional steps in said derivation at such other device to permit the completion of the
derivation at said one device and transfer the result thereof to said one computing device.

Preferably, the initial step involves a simple field operation on the two sets of
coordinates which provides information required in the subsequent steps of the derivation.
Preferably also the additional steps performed at the other device complete the
derivation.

In a preferred embodiment, the initial step involves the addition of the x
coordinates and the addition of the y coordinates to provide the terms $(x_1 \oplus x_2)$ and $(y_1 \oplus y_2)$.

The addition of the coordinates is an XOR operation that can readily be
performed on the card and the results provided to the terminal.



In this manner, the coordinates (x,y) representing kP in a stored signing 
element are not disclosed as insufficient information is provided even with subsequent uses 
of the card. Accordingly, the x coordinate of up to 500 signatures can be generated from an 
initial set of 32 stored signing elements. 

The new value of k can be computed on the card and to avoid computing the
inverse $k^{-1}$, alternative known masking techniques can be utilized.

A further aspect of the present invention provides a method of generating 
additional sets of points from the initial set that may be used individually as a new value of 
kP or in combination to generate still further values of kP. 

According to this aspect of the invention, the curve is an anomalous curve and
the Frobenius Operator is applied to at least one of the coordinates representing a point in the
initial set to provide a coordinate of a further point on the elliptic curve. The Frobenius
Operator Ø provides that for a point $(x_1, y_1)$ on an anomalous curve, then $Ø(x_1, y_1)$ is a point
$(x_1^2, y_1^2)$ that also lies on the curve. In general, $Ø^i(x_1, y_1)$ is a point $(x_1^{2^i}, y_1^{2^i})$ that also lies on the
curve. For a curve over the field $2^m$, there are m Frobenius Operators so for each value of kP
stored in the initial set, m values of kP may be generated, referred to as "derived" values.
The new value of k associated with each point can be derived from the initial relationship
between P and ØP and the initial value of k.

For a practical implementation where 32 pairs of signing elements are initially
retained on the card and the curve is over the field $2^{155}$, utilizing the Frobenius Operator
provides in the order of 4960 possible derived values and by combining pairs of such derived
values as above in the order of $10^7$ values of kP can be obtained from the initial 32 stored
signing elements and the corresponding values of k obtained to provide $10^7$ session pairs.

Preferably, the stored values of kP are in a normal basis representation. The
application of the Frobenius Operator then simply requires an "i" fold cyclic shift to obtain the
value for an $Ø^i$ operation.

According to a further aspect of the invention, there is provided a method of 
generating signature components for use in a digital signature scheme, said signature 
components including private information and a public key derived from said private 
information, said method comprising the steps of storing private information and related 
public key as an element in a set of such information, cycling in a deterministic but 
unpredictable fashion through said set to select at least one element of said set without
repetition and utilizing said one element to derive a signature component in said digital 
signature scheme. 

Embodiments of the invention will now be described by way of example only 
with reference to the accompanying drawings, in which 

Figure 1 is a schematic representation of a programmable credit card; 

Figure 2 is a schematic representation of a transaction performed between the 
card and network; 

Figure 3 is a schematic representation of the derivation of a session pair from 
a pair of stored signing elements; 

Figure 4 is a schematic representation of one step in the transmission of 
information shown in Figure 2; 

Figure 5 is a schematic representation of a preferred implementation of the 
derivation of a session pair from two pairs of stored values; and 

Figure 6 is a schematic representation of a selection unit shown in Figure 1.

Figure 7 is a schematic representation of a further embodiment of the 
derivation of session pairs from stored values. 
The System 

Referring therefore to Figure 1, a programmable credit card 10 (referred to as 
a 'SMART' card) has an integrated circuit 12 embedded within the body of card 10. 

The integrated circuit includes a logic array 14, an addressable memory 16 
and a communication bus 18. The memory 16 includes a RAM section 20 to store 
information, a pair of cyclic shift registers 22 for temporary storage of information and 
programming code 24 for control of the logic array 14 and communication bus 18. The array 
14 includes an arithmetic unit 26 to provide modular arithmetic operation, e.g. addition and
multiplication, and a selection unit 28 controlled by the programming code 24. It will be 
appreciated that the description of the card 10 is a schematic and restricted to that necessary 
for explanation of the preferred embodiment of the invention. 

The card 10 is used in conjunction with a terminal 30, for example an
automated teller machine (ATM), that is connected to a network to allow financial
transactions to be conducted. The terminal 30 includes a keypad 32 to select options and
tasks and has computing capabilities to perform the necessary functions in conjunction with
the card 10.

Access to the terminal 30 is obtained by inserting card 10 into a reader 34 and
entering a pass code in a conventional manner. The pass code is verified with the card 10
through communication bus 18 and the terminal 30 activated. The keypad 32 is used to
select a transaction, for example a transfer of funds, between accounts and generate a
message through the network to give effect to the transactions, and card 10 is used to sign
that transaction to indicate its authenticity. The signature and message are transmitted over
the network to the intended recipient and upon receipt and verification, the transaction is
completed.



The Card 

The RAM section 20 of memory 16 includes a digital data string representing a
private key, a, which remains secret with the owner of the card and a corresponding public
key Q = aP where P is the publicly known initial point on the selected curve. The RAM
section 20 also includes a predetermined set of coordinates of points, kP, on an elliptic curve
that has been preselected for use in a public key encryption scheme. It is preferred that the
curve is over a finite field $2^m$, conveniently, and by way of example only, $2^{155}$, and that the
points kP are represented in normal basis representation. The selected curve should be an
anomalous curve, e.g. a curve that satisfies $y^2 + xy = x^3 + 1$, and has an order, e. Each point
kP has an x coordinate and a y coordinate and is thus represented as two 155 digital data
strings that are stored in the RAM 20. By way of example, it will be assumed that the RAM
20 contains 32 such points identified generically as kP and individually as $k_0P, k_1P \ldots k_{31}P$.
Similarly, their coordinates (x,y) will be individually designated $x_0y_0 \ldots x_{31}y_{31}$.

The points kP are precomputed from the chosen parameters of the curve and
the coordinates of an originating point P. The k-fold addition of point P will provide a
further point kP on the curve, represented by its coordinates (x,y) and the value of k cannot
be determined even if the coordinates of points P and kP are known.

RAM 20 therefore contains the values of k associated with the respective
points kP so that a set of stored signing elements k,kP is available for use in the signing of
the transaction.
Signing

To sign a message m generated by the transaction, one session pair $k_j$, $k_jP$ is
required and may be obtained from RAM 20 as set out more fully below. Assuming that
values $k_j$, $k_jP$ have been obtained, the signing protocol requires a signature (r,s) where

r is the data string representing the x-coordinate, $x_j$ reduced mod q (q is
a preselected publicly known divisor of e, the order of the curve, i.e.
q/e); and

$s = [k^{-1}(h(m)) + ar] \bmod q$ where h(m) is a q-bit hash of the message m
generated by the transaction.

In this signature, even though r is known, s contains the secret k and the
private key, a, and so inhibits the extraction of either.

The generation of s requires the inversion of the value k and since k is itself to
be derived from the stored set of values of k, it is impractical to store corresponding inverted
values of possible k's. Accordingly, a known masking technique is used to generate
components r, $s'$ and u of a signature. This is done by selecting an integer, c, and computing
a value u = ck. The value $s' = c(h(m) + ar) \bmod q$.

The signature value s can then be obtained by the recipient computing $s'u^{-1} = k^{-1}[h(m) + ar]$.

The signature $(r, s', u)$ can be computed on the card 10 and forwarded by bus 18
to the terminal 30 for attachment to the message m.
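
The masking step above, worked through as an added example (not code from the application): the card produces (r, s', u) with multiplications only, and the recipient unmasks s before a standard DSA check. The toy group (p = 2039, q = 1019, β = 4), the SHA-256 based h, the use of the DSS form of r from the background section, and all function names are assumptions of the example.

```python
import hashlib

# Toy DSS-style group constructed for this example (far too small for real use):
# P = 2*Q + 1 with Q prime, and BETA has order Q modulo P.
P, Q, BETA = 2039, 1019, 4


def h(message: bytes) -> int:
    """Hash reduced mod Q; stands in for the text's h(m)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % Q


def card_sign(message: bytes, a: int, k: int, c: int):
    """Card side: return (r, s', u) without ever inverting k.

    a = private key, k = session key, c = secret random mask (all in 1..Q-1).
    """
    r = pow(BETA, k, P) % Q                     # on a real card r comes from a stored pair
    s_masked = (c * (h(message) + a * r)) % Q   # s' = c(h(m) + ar) mod q
    u = (c * k) % Q                             # u  = ck (reduced mod q: an assumption)
    if r == 0 or s_masked == 0:
        raise ValueError("degenerate session pair; choose another k")
    return r, s_masked, u


def unmask(s_masked: int, u: int) -> int:
    """Recipient side: s = s' * u^-1 = k^-1 (h(m) + ar) mod q."""
    return (s_masked * pow(u, -1, Q)) % Q


def verify(message: bytes, r: int, s: int, y: int) -> bool:
    """Standard DSA verification against the public key y = BETA^a mod P."""
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = (pow(BETA, h(message) * w % Q, P) * pow(y, r * w % Q, P)) % P % Q
    return v == r


def demo():
    """Sign on the 'card', unmask and verify on the 'recipient' (constructed values)."""
    a, k, c = 777, 123, 456
    y = pow(BETA, a, P)
    msg = b"transfer 100 from account A to account B"
    r, s_masked, u = card_sign(msg, a, k, c)
    s = unmask(s_masked, u)
    return s == pow(k, -1, Q) * (h(msg) + a * r) % Q and verify(msg, r, s, y)
```

The mask c has to be as secret and as fresh as k: u = ck mod q is sent in the clear, so a known or reused c gives away k, and with k and s the private key a follows.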

Generation of Session Pair

As noted above, in order to generate the signature (r,s), it is necessary to have
a session pair k and kP. Security dictates that each session pair is only used once and it is
assumed that the number of signing elements stored in RAM 20 is insufficient for
commercial application.
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In the preferred embodiment, two techniques are used to generate additional 
session pairs to the stored signing elements. It will be appreciated that each technique may 
be used individually although the combination of the two is preferred. 

5 (i) Frobenius Operator 

The first technique involves the use of the Frobenius Operator to derive 
additional session pairs from the stored signing elements and is shown in Figure 3. The 
Frobenius Operator denoted 0 operates on a point P having coordinates (x,y) on an 

anomalous elliptic curve in the finite field 2 m such that 0'P = (x^y 2 '). Moreover, the point 

10 0T is also on the curve. In the field 2 155 , there are 155 Frobenius Operators so each point kP 
stored in memory 20 may generate 155 points on the curve by application of the Frobenius 
Operators. Thus, for the 32 values of kP stored, there are 4960 possible values of kP 
available by application of the Frobenius Operator. 

To derive the value of $\phi^i P$, it is simply necessary to load the x and y
coordinates of a point kP into respective shift registers 22 and perform an i-fold cyclic shift.
Because the coordinates (x,y) have a normal basis representation, a cyclic shift in the register
22 will perform a squaring operation, and an i-fold cyclic shift will raise the value to the
power $2^i$. Therefore, after the application of i clock cycles, the registers 22 contain the
coordinates of $\phi^i(kP)$ which is a point on the curve and may be used in the signing protocol.
The 155 possible values of the coordinates (x,y) of $\phi^i(kP)$ may be obtained by simple cyclic
shifting. The representations in the registers 22 may then be used to obtain r.

Where the use of Frobenius Operator provides sufficient values for
commercial use, only one coordinate is needed to compute the value of r and so only a single
shift register is needed. However, as will be described below, further session pairs can be
derived if both the coordinates are known and so a pair of registers is provided.

For each value of $\phi^i(kP)$, it is necessary to obtain the corresponding value of k.
$\phi(P) = \lambda P$. $\lambda$ is a constant that may be evaluated ahead of time and the values
of its first m powers, $\lambda^i$, computed. The m values are stored in RAM 20.

In general, $\phi^i(kP) \rightarrow \lambda^i kP$ so the value of k associated with $\phi^i(kP)$ is
$\lambda^i k$. Since k is stored for each value of kP in RAM 20 and $\lambda^i$ is also stored, the
new value of k, i.e. $\lambda^i k$, can be computed using the arithmetic unit 26.

As an alternative, to facilitate efficient computation of $\lambda^i$ and avoid excessive
storage, it is possible to precompute specific powers of $\lambda$ and store them in RAM 20.
Because m is 155 in the specific example, the possible values of i can be represented as an
8-bit binary word. The values of $\lambda^2 \rightarrow \lambda^{2^7}$ are thus stored in RAM 20 and
the value of $\lambda$ represented in binary. The prestored values of $\lambda^{2^i}$ are then
retrieved as necessary and multiplied mod e by arithmetic unit 26 to provide the value of
$\lambda^i$. This is then multiplied by k to obtain the new value associated with $\phi^i(kP)$.

It will be seen therefore that new session pairs k, kP may be derived simply
and efficiently from the stored signing elements of the initial set. These session pairs may be
computed in real time, thereby obviating the need to increase storage capacity and their
computation utilizes simple arithmetic operations that may be implemented in arithmetic unit
26.

(ii) Combining Pairs 

A further technique, illustrated schematically in Figure 4, to increase the
number of session pairs of k and kP available, and thereby increase the number of signatures
available from a card, is to combine pairs of stored signing elements to produce a new
derived value. The addition of two points $k_1P$ and $k_2P$ will produce a third point $k_3P$
that also lies on the curve and may therefore be used for signatures.

The addition of two points having coordinates $(x_1,y_1)$, $(x_2,y_2)$ respectively on a
curve produces a new point having an x coordinate $x_3$ where

$$x_3 = \left(\frac{y_1 \oplus y_2}{x_1 \oplus x_2}\right)^2 \oplus \frac{y_1 \oplus y_2}{x_1 \oplus x_2} \oplus x_1 \oplus x_2$$

In the finite field $2^m$, $y_1 \oplus y_2$ and $x_1 \oplus x_2$ are XOR field operations that may
be performed simply in logic array 16. Thus the respective values of $x_1, x_2$ and $y_1, y_2$ are
placed in respective ones of registers 22 and XOR'd. The resultant data string is then passed
over communication bus 16 to the terminal 30. The terminal 30 has sufficient computing
capacity to perform the inversion, multiplication and summation to produce the value of $x_3$.
This is then returned to register 22 for signature. The potential disclosure of $x_3$ does not
jeopardize the security of the signature as the relevant portion is disclosed in the transmission
of r.

The value of $k_1 + k_2$ is obtained from the arithmetic unit 26 within logic array
16 to provide a value of $k_3$ and hence a new session pair $k_3$, $k_3P$ is available for signature.

It will be appreciated that the value for $y_3$ has not been computed as the
signing value r is derived from $x_3$ rather than both coordinates.

It will be noted that the values of $x_1$ and $x_2$ or $y_1$ and $y_2$ are not transmitted to
terminal 30 and provided a different pair of points is used for each signature, then the values
of the coordinates remain undisclosed.

At the same time, the arithmetic functions performed on the card are relatively
simple and those computationally more difficult are performed on the terminal 30.

Preferred Implementation of Generating Session Pairs

The above technique may of course be used with pairs selected directly from
the stored signing elements or with the derived values obtained using the Frobenius Operator
as described above. Alternatively, the Frobenius Operator could be applied to the value of kP
obtained from combining pairs of the stored signing elements to provide m possible values of
each derived value.

To ensure security and avoid duplication of session pairs, it is preferred that
only one of the stored signing elements should have the Frobenius Operator applied, as in the
preferred embodiment illustrated in Figure 5.

In this arrangement, the coordinates $x_1, y_1$ of one of the stored signing elements
are applied to the registers 22 and cyclically shifted i times to provide $\phi^i k_1P$.

The respective coordinates, $x_{\phi 1}, y_{\phi 1}$, are XOR'd with the coordinates from
another of the stored values $k_2P$ and the summed coordinates transmitted to ATM 30 for
computation of the coordinate $x_3$. This is retransmitted to the card 10 for computation of the
value r.

The value of $k_1$ is processed by arithmetic unit 26 to provide $\lambda^i k$ and added to
$k_2$ to provide the new value $k_3$ for generation of signature component s. In this embodiment,
from an original set of 32 stored signing elements stored on card 10, it is possible to generate
in the order of $10^7$ session pairs. In practice, a limit of $10^6$ is realistic.
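
The two derivations above (a Frobenius-derived pair, then a combined pair whose x coordinate is finished off the card) can be traced end to end in a small sketch. This is an added example, not code from the application: the field GF(2^7), the curve y^2 + xy = x^3 + 1, the stored k values and every function name are constructed for illustration, and a polynomial basis is used, so the Frobenius map is computed by squaring where the card's normal-basis registers would use a cyclic shift.

```python
# Constructed toy parameters: GF(2^7) modulo x^7 + x + 1 and the anomalous
# (Koblitz) curve y^2 + xy = x^3 + 1, whose group order is 4 * 29.
M, POLY, N = 7, 0b10000011, 29

def gf_mul(a, b):
    """Multiply two field elements (polynomial basis, carry-less)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= POLY
    return r

def gf_inv(a):
    """Field inverse of a nonzero element, computed as a^(2^M - 2)."""
    r = 1
    for _ in range(M - 1):
        a = gf_mul(a, a)
        r = gf_mul(r, a)
    return r

def ec_add(P, Q):
    """Affine addition on y^2 + xy = x^3 + 1; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if y1 != y2 or x1 == 0:
            return None                      # Q = -P
        t = x1 ^ gf_mul(y1, gf_inv(x1))      # doubling slope
        x3 = gf_mul(t, t) ^ t
        return (x3, gf_mul(x1, x1) ^ gf_mul(t ^ 1, x3))
    t = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    x3 = gf_mul(t, t) ^ t ^ x1 ^ x2
    return (x3, gf_mul(t, x1 ^ x3) ^ x3 ^ y1)

def ec_mul(k, P):
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R

def find_base_point():
    """First curve point (scanning x, then y) that survives clearing the cofactor 4."""
    for x in range(1, 1 << M):
        for y in range(1 << M):
            if gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(gf_mul(x, x), x) ^ 1:
                G = ec_mul(4, (x, y))
                if G is not None:
                    return G

def frobenius(P, i):
    """phi^i(x, y) = (x^(2^i), y^(2^i)); in a normal basis each squaring is a cyclic shift."""
    x, y = P
    for _ in range(i):
        x, y = gf_mul(x, x), gf_mul(y, y)
    return (x, y)

def find_lambda(G):
    """The constant with phi(G) = lambda * G, evaluated ahead of time."""
    target = frobenius(G, 1)
    return next(l for l in range(1, N) if ec_mul(l, G) == target)

def frobenius_pair(k, kP, i, lam):
    """Technique (i): (k, kP) -> (lambda^i * k mod N, phi^i(kP))."""
    return (pow(lam, i, N) * k % N, frobenius(kP, i))

def card_sums(P1, P2):
    """On the card: XOR the coordinates; only these sums are sent out."""
    return (P1[0] ^ P2[0], P1[1] ^ P2[1])

def terminal_x3(sx, sy):
    """On the terminal: inversion, multiplication and summation give x3."""
    if sx == 0:
        raise ValueError("points share an x coordinate; pick another pair")
    t = gf_mul(sy, gf_inv(sx))
    return gf_mul(t, t) ^ t ^ sx

def derive_session_pair(e1, e2, i, lam):
    """Technique (ii) after (i): returns (k3, x3) for the new session pair."""
    k1, P1 = frobenius_pair(e1[0], e1[1], i, lam)
    k2, P2 = e2
    return ((k1 + k2) % N, terminal_x3(*card_sums(P1, P2)))

if __name__ == "__main__":
    G = find_base_point()
    lam = find_lambda(G)
    stored = [(k, ec_mul(k, G)) for k in (5, 11)]   # constructed signing elements
    k3, x3 = derive_session_pair(stored[0], stored[1], 3, lam)
    print("lambda =", lam, "k3 =", k3, "x3 =", x3, "check:", ec_mul(k3, G)[0] == x3)
```

The terminal only ever receives the two XOR sums, yet the x3 it returns equals the x coordinate of k3·G computed directly, which is the property the split computation relies on.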

Selection of Pairs of Stored Signing Elements

The above procedure requires a pair of stored signing elements to be used to
generate each session pair. In order to preserve the integrity of the system, the same set
cannot be used more than once and the pairs of stored values constituting the set must not be
selected in a predictable manner.

This selection function is performed by the selection unit 28 whose operation 
is shown schematically in Figure 6. 

Selection unit 28 includes a set of counters 40,42,44 whose outputs address
respective look up tables 46,48,50. The look up tables 46,48,50 map the successive outputs
of the counters to pseudo random output values to provide unpredictability for the selection
of stored signing elements.

The 32 stored values of k and kP are assigned nominal designations as
elements in a set 52 ranging from -15 to +15 with one designated $\infty$. To ensure that all
available combinations of stored values are used without repetition, the nominal designations
are grouped in 16 pairs in an ordered array 54 such that the difference (mod 31) in the
assigned values of a pair uses all the numbers from 1 to 30. $\infty$ is grouped with 0. This array
provides a first row of a notional matrix.

Successive rows 54a,b,c,etc. of the notional matrix are developed by adding 1
to each assigned designation of the preceding row until 15 rows are developed. In this way a
matrix is developed without repetition of the designations in each cell. By convention
$\infty + 1 = \infty$.

Counter 42 will have a full count after 15 increments and counter 40 will have
a full count after 14 increments. Provided the full count values of counters 40,42 are
relatively prime and the possible values of the counter 50 to select Frobenius Operator are
relatively large, the output of counters 40,42,44 are mapped through the tables 46,48,50
respectively to provide values for row and column of the notional matrix and the order i of
the Frobenius Operator to be applied.

The output of counter 48 selects a column of the array 54 from which a
designation associated with a starting pair can be ascertained. In the example of Figure 6, the
output of counter 42 is mapped by table 48 to provide an output of 3, indicating that column
3 of array 54 should be selected. Similarly, the output of counter 40 is mapped through table
46 to provide a count of 3 indicating that values in row 3 of the matrix should be used.

The assigned designations for a particular row are then obtained by adding the
row value to the values of the starting pair. This gives a new pair of assigned designations
that indicate the locations of elements in set 52. The signing elements are then retrieved from
the set 52.

One of those pairs of signing elements is then output to a shift register 22 and
operated upon by the designated Frobenius Operator $\phi$. The value of the Frobenius
Operation is obtained from the output of table 50 which maps counter 44. The value
obtained from table 5 sets the shift clock associated with register 22 so that the contents of
the register 22 are cyclically shifted to the Frobenius value $\phi$ indicated by the output of table
50.

Accordingly, a new value for kP is obtained. The associated value of k can be
computed as described above with the arithmetic unit utilizing the output of table 50 to
determine the new value of $\lambda$. Accordingly, a derived value is obtained.

The derived value and signing element are then combined as described at (ii) 
above to provide a new session pair k, kP for use in the signing process. 

The use of the counters 40,42 provides input values for the respective tables so
that the array 54 is accessed in a deterministic but unpredictable fashion. The grouping of the
pairs in the array 54 ensures there is no repetition in the selected elements to maintain the
integrity of the signature scheme.

Counter 44 operates upon one of the selected pairs to modify it so that a 
different pair of values is presented for combination on each use, even though multiple access 
may be made to the array 54. 
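
The no-repetition property of the array and the counter-driven walk over it can be checked mechanically. The sketch below is an added example, not part of the application: Figure 6's actual array is not reproduced in the text, so the first row used here (∞ with 0, then i with -i mod 31) is an assumed instance that satisfies the stated difference condition, and the lookup-table contents and function names are constructed.

```python
import random

INF = "inf"   # the one designation outside -15..+15; by convention inf + 1 = inf

def starter_row():
    """Assumed first row: inf with 0, then i with -i (as residues mod 31)."""
    return [(INF, 0)] + [(i, -i % 31) for i in range(1, 16)]

def differences(row):
    """Sorted differences (mod 31), in both directions, of the finite pairs."""
    return sorted(d for a, b in row if a != INF
                  for d in ((a - b) % 31, (b - a) % 31))

def develop(rows=15):
    """Each new row adds 1 (mod 31) to every designation of the row before."""
    def bump(d, r):
        return d if d == INF else (d + r) % 31
    return [[(bump(a, r), bump(b, r)) for a, b in starter_row()]
            for r in range(rows)]

def distinct_pairs(cells):
    """Number of different unordered pairs among the given cells."""
    return len({frozenset(p) for p in cells})

def selection_sequence(seed=1):
    """Row counter (period 14) and column counter (period 15) step once per
    signature; constructed lookup tables scramble what they address."""
    rng = random.Random(seed)                # fixed table contents (constructed)
    row_table = rng.sample(range(15), 14)
    col_table = rng.sample(range(16), 15)
    matrix = develop(15)
    return [matrix[row_table[n % 14]][col_table[n % 15]]
            for n in range(14 * 15)]

if __name__ == "__main__":
    flat = [p for row in develop(15) for p in row]
    print(differences(starter_row()) == list(range(1, 31)))
    print(distinct_pairs(flat), "distinct pairs in", len(flat), "cells")
    print(distinct_pairs(selection_sequence()), "selections before the counters wrap")
```

Because 14 and 15 are relatively prime, the two counters address 210 different cells before their joint state repeats, and the difference condition on the first row guarantees that different cells hold different pairs.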
The counters 40,42,44 may also be utilized to limit the use of the Smart Card
if desired so that a forced expiry will occur after a certain number of uses. Given the large
number of possible signatures, this facility may be desirable.

Alternative structures to the look up tables 46,48,50 may be utilized, such as a
linear feedback shift register, to achieve a mapped output if preferred.

Further selection of the session pairs can be obtained by preprocessing of the 
contents of register 52 using one or more of the techniques shown in Figures 7, 8 or 9. 

In its simplest form, as shown in Figure 7, a source row 's' is selected and the
session pair $k_s, k_sP$ read from the register. A function is applied to the session pair, which for
example is the Frobenius operation as set out in Figure 3 to provide a new session pair $\lambda^i k_s$;
$\phi^i(k_sP)$. A destination row, d, is then selected in the table 52 and the new session pair
combined with the contents of that row to generate a new pair of values. The contents of the
table 52 are thus updated and a selection of pairs may be made for the generation of a new
session pair as described above.

The preprocessing may be repeated a number of times with different source
rows s, and destinations, d, so that a thorough mixing is obtained. The selection of source
rows, s, and destinations, d, may be selected deterministically using the counters 40,42.

Alternatively, where the card 10 does not have adequate computing power or a
curve other than an anomalous curve is used, an alternative function may be applied to the
selected row. For example, a sign may be applied to the selected row prior to accumulation
of a destination.

An alternative embodiment is shown in Figure 8 where multiple source rows
$s_1 \ldots s_n$ are used and the selected session pairs combined. Typically two source rows are used
but more than two can be combined if preferred. In this case the combining may proceed as
shown in Figure 5 and the new value accumulated at the destination row, d, of the register.
As the x coordinate of the combined point will identify one of the coordinates in the register
52, it is preferred to perform the computation on the card where feasible.

The selected session pairs may be modified prior to or subsequent to their addition by
application of a second function, e.g. signing, (as shown in ghosted outline) to provide
further security in the updating of the register 52.
Where a random number generator is incorporated on the card 10, the above
preprocessing may be used effectively in the production of the cards. Referring to Figure 9,
an initial set of session pairs is injected into the register 52 of each card 10. A random
number generator 60 is run for an initial period and its output used to select the source and
destination rows of the register 52. The source row is accumulated with the destination row
so that the session pairs of the set are changed with each iteration. If preferred, a function
such as a sign or a Frobenius operation may be applied to the selected session pair before
accumulation. The mixing continues for a further period with the output of generator 60
being used periodically to select each row. Once the register is considered thoroughly mixed,
the session pairs may be selected and combined as described above for Figure 6. As the
output of each generator 60 will vary from device to device, the sets of session pairs in each
register 52 will also vary from device to device. Therefore the same initial table may be used
but different session pairs will be generated.

In summary, therefore, pairs of signing elements from an initial set of stored
values can be selected in a deterministic and unpredictable manner and one of those elements
operated upon by the Frobenius Operator to provide additional values for the elements. The
elements may then be combined to obtain a new session pair with a portion of the
computation being performed off card but without disclosing the value of the elements.
Accordingly, an extended group of session pairs is available for signing from a relatively
small group of stored values.
We claim:

1. A method of generating a digital signature implemented over an elliptic curve
public key encryption scheme utilizing information maintained secret in one computing
device comprising the steps of

(i) initiating the computation of a coordinate of a point on the elliptic curve
from a pair of other points on said curve by performing on said one device an initial set of
sufficient steps in the computation to inhibit recognition of information pertaining to the
identity of said other points,

(ii) transferring to another computing device remote from the one device
the results of said steps,

(iii) performing at least such additional steps in said computation at said other
device to permit the completion of said computation at said one device, and

(iv) transferring the result of said additional steps to said one device for
incorporation in said signature.

2. A method according to claim 1 wherein said initial steps includes a field
operation to combine information from each of said other points.

3. A method according to claim 2 wherein said combined information is utilized
in said additional steps.

4. A method according to claim 3 wherein said field operation includes the
summation of the information representing one coordinate of each of said other points and
the summation of the information representing the other coordinate of each of the other
points.

5. A method according to claim 1 wherein said additional steps complete said
computation.

6. A method according to claim 4 wherein said information representing the
summation of said coordinates is transferred from said one device to said other device.

7. A method according to claim 4 wherein said elliptic curve is over the finite
field $2^m$ and represents said coordinates in a normal basis in said field.

8. A method according to claim 7 wherein said additional steps includes
cyclically shifting said information representing the summation of said coordinates.

9. A method according to claim 1 wherein said computation generates a single
coordinate of said point, said single coordinate being utilized in said signing.

10. A method of deriving a coordinate of a point on an anomalous elliptic curve
over the field GF$2^m$ for utilization in a public key encryption scheme implemented on said
curve, said method comprising the steps of

(i) storing a normal basis representation of each of a set of coordinates of
points on said curve,

(ii) retrieving said normal basis representation of a coordinate of one of
said points;

(iii) performing an i-fold cyclic shift on said retrieved normal basis representation
of said one coordinate, and

(iv) utilizing the resultant representation as a coordinate of a further point
on the curve resulting from an i-fold application of the Frobenius Operator to said one point.

11. A method according to claim 10 wherein each of said set of coordinates
represents a point on the curve that is an integer multiple k, of a starting point P, and the
i-fold application of the Frobenius Operation to said starting point P produces a new point
$\phi^i P$ where $\phi^i P = \lambda^i P$,

said method including the step of determining the integer k' associated with
said further point by computing $k\lambda^i$.
12. A method of generating a session pair k,kP for use in a digital signature
performed on an anomalous elliptic curve in the field GF$2^m$ where kP is a point on said curve
resulting from the k fold addition of a starting point P where k is an integer, said method
comprising the steps of

(i) storing a set of initial values of k and kP, as a normal basis
representation in the field GF$2^m$,

(ii) selecting a coordinate of one of said points kP in said set of initial
values;

(iii) performing an i-fold cyclic shift on said coordinate to obtain a normal basis
representation of the coordinate after an i-fold application of a Frobenius Operator;

(iv) selecting the integer k associated with said one of said points;

(v) computing an integer value $\lambda^i k$ where $\lambda$ defines the relationship
between the start point P and a point $\phi P$ and $\phi$ indicates a Frobenius Operation;

(vi) utilizing the resultant representation of the coordinate and the value $\lambda^i k$
as a session pair in a digital signature r,s where r is derived from the representation of a
coordinate of a point on the curve and s is derived from the integer value associated with
such point, the message to be signed and r.

13. A method of generating signature components for use in a digital signature
scheme, said signature components including private information and a public key derived
from said private information, said method comprising the steps of storing private
information and related public key as an element in a set of such elements, cycling in a
deterministic but unpredictable manner through said set to select at least one element of said
set without repetition and utilizing said one element to derive a signature component in said
digital signature scheme.

14. A method according to claim 13 wherein a pair of said elements are selected
from said set and said pair of elements combined to provide said signature components.

15. A method according to claim 14 wherein one of said selected pair of elements
is operated upon to produce private information and a public key derived from said one
element prior to combination with the other of said elements.

16. A method according to claim 15 wherein a computation to combine said
elements is initiated on one computing device and sufficient steps of said computation are
performed on said one device to inhibit recognition of information in said elements and
subsequent steps are performed on another computing device after transfer of a partially
completed computation thereto.

17. A method according to claim 14 wherein said pairs of elements are selected by
generating a pair of indices indicating respective locations of said elements in said set.

18. A method according to claim 17 wherein said indices are obtained from an
ordered array arranged to provide each possible combination of indices.

19. A method according to claim 18 wherein said indices are selected from a
counter that increments with each signature.

20. A method according to claim 19 wherein output from said counter is modified
to provide a non-sequential selection of said indices.

21. A method of generating a digital signature implemented over an elliptic curve
public key encryption scheme utilizing a session pair k, kP in which k is an integer
maintained secret and kP represents a point on said curve resulting from a k-fold addition of
starting point P, said method comprising the steps of storing a set of elements each having
normal basis representation of a value of k and a normal basis representation of a value of kP
in the field GF$2^m$, identifying each element of said set for subsequent retrieval, selecting a
pair of said elements in a deterministic and unpredictable manner and combining said
elements to provide a session pair for use in said digital signature.

22. A method according to claim 21 wherein an auxiliary transformation is
performed on one of said elements selected prior to combination with the other thereof.

23. A method according to claim 22 wherein said elliptic curve is an anomalous 
curve and said auxiliary transformation is an application of a Frobenius Operator. 

24. A method according to claim 23 wherein said auxiliary transformation 
includes an i-fold cyclic shift on said normal basis representation of said value kP associated 
with said element. 

25. A method according to claim 24 wherein said pairs of elements are selected 
from an ordered grouping of pairs of the identifications of said elements. 

26. A method according to claim 22 wherein combining of said elements includes 
a computation performed in part on one computing device and in part on another computing 
device. 

27. A method according to claim 26 wherein sufficient steps of said computation 
are performed on said one computing device to inhibit identification of either of said 
elements. 

28. A method of generating a set of session pairs for use as a private key and a 
public key respectively in a public key cryptographic scheme, said method comprising the 
steps of establishing a set having a plurality of session pairs, selecting at least one of said 
session pairs, processing said selected session pair by applying a predetermined function 
thereto to generate a new session pair and incorporating said new session pair into said set. 

29. A method according to claim 28 wherein said selection of said one of said 
session pairs is repeated a plurality of times. 
30. A method according to claim 29 wherein a plurality of session pairs of said set
is selected and combined to generate said new session pair.

31. A method according to claim 30 wherein said pairs are selected by a random
number generator.

32. A method according to claim 31 wherein said selection of a plurality of pairs
by said random number generator is repeated a plurality of times prior to said pairs being
used to generate a private and public key pair.

33. A method according to claim 28 wherein said new session pairs are incorporated by
accumulating said new session pair with an existing session pair.

34. A method according to claim 30 wherein an additional function is applied to at least
one of said plurality of session pairs prior to combination with the other of said plurality of
session pairs.

35. A method according to claim 30 wherein an additional function is applied after
combination of said plurality session pairs to generate said new session pairs.

36. A method of generating a set of session pairs for use as a private key and a public
key respectively in a public key cryptographic scheme, said method comprising the steps of
establishing an initial set having a plurality of session pairs, selecting one of said pairs by a
random selection process, and accumulating said selected pair with a randomly selected pair
of said initial set.

37. A method according to claim 36 wherein successive selections and accumulations are
performed on randomly selected ones of said set.

38. A method according to claim 37 wherein a function is applied to said selected one of
said pairs prior to accumulation.

39. A method according to claim 37 wherein a random number generator is used to
perform said random selections.
Abstract

A digital signature scheme for a "smart" card utilizes a set of prestored
signing elements and combines pairs of the elements to produce a new session pair. The
combination of the elements is performed partly on the card and partly on the associated
transaction device so that the exchange of information between card and device does not
disclose the identity of the signing elements. The signing elements are selected in a
deterministic but unpredictable manner so that each pair of elements is used once. Further
signing pairs are generated by implementing the signing over an anomalous elliptic curve
encryption scheme and applying a Frobenius Operator to the normal basis representation of
one of the elements.
Docket No.
8700001-0205



Declaration and Power of Attorney For Patent Application 

English Language Declaration 

As a below named inventor, I hereby declare that: 

My residence, post office address and citizenship are as stated below next to my name, 

I believe I am the original, first and sole inventor (if only one name is listed below) or an original, 
first and joint inventor (if plural names are listed below) of the subject matter which is claimed and for 
which a patent is sought on the invention entitled 

Digital Signatures on a Smartcard 

Continuation of U.S. Patent Application 08/632,845 

the specification of which 

(check one) 

☒ is attached hereto.

□ was filed on as United States Application No. or PCT International 

Application Number 

and was amended on 

(if applicable) 

I hereby state that I have reviewed and understand the contents of the above identified specification, 
including the claims, as amended by any amendment referred to above. 

I acknowledge the duty to disclose to the United States Patent and Trademark Office all information 
known to me to be material to patentability as defined in Title 37, Code of Federal Regulations, 
Section 1.56. 

I hereby claim foreign priority benefits under Title 35, United States Code, Section 119(a)-(d) or 
Section 365(b) of any foreign application(s) for patent or inventor's certificate, or Section 365(a) of 
any PCT International application which designated at least one country other than the United States, 
listed below and have also identified below, by checking the box, any foreign application for patent or 
inventor's certificate or PCT International application having a filing date before that of the application 
on which priority is claimed. 

Prior Foreign Application(s) Priority Not Claimed 



□ 

(Number) (Country) (Day/Month/Year Filed) 

□ 

(Number) (Country) (Day/Month/Year Filed) 

□ 

(Number) (Country) (Day/Month/Year Filed) 
I hereby claim the benefit under 35 U.S.C. Section 119(e) of any United States provisional
application(s) listed below:

(Application Serial No.) (Filing Date)



I hereby claim the benefit under 35 U.S.C. Section 120 of any United States application(s), or
Section 365(c) of any PCT International application designating the United States, listed below and,
insofar as the subject matter of each of the claims of this application is not disclosed in the prior
United States or PCT International application in the manner provided by the first paragraph of 35
U.S.C. Section 112, I acknowledge the duty to disclose to the United States Patent and Trademark
Office all information known to me to be material to patentability as defined in Title 37, C.F.R.,
Section 1.56 which became available between the filing date of the prior application and the national
or PCT International filing date of this application:

(Application Serial No.) 08/632,845
(Filing Date) April 16, 1996
(Status) (patented, pending, abandoned) Pending



I hereby declare that all statements made herein of my own knowledge are true and that all 
statements made on information and belief are believed to be true; and further that these statements 
were made with the knowledge that willful false statements and the like so made are punishable by 
fine or imprisonment, or both, under Section 1001 of Title 18 of the United States Code and that such 
willful false statements may jeopardize the validity of the application or any patent issued thereon. 



Form PTO-SB-01 (6-95) (Modified) 



Patent and Trademark Office-U.S. DEPARTMENT OF COMMERCE 



Page 3 of 4 



POWER OF ATTORNEY: As a named inventor, I hereby appoint the following attorney(s) and/or 
agent(s) to prosecute this application and transact all business in the Patent and Trademark Office 
connected therewith, (list name and registration number) 
Lawrence A. Maxham 24,483 



Send Correspondence to: Lawrence A. Maxham 

Baker & Maxham 
Symphony Towers, 750 'B' Street

Suite 3100, San Diego, CA 92101 U.S.A. 

Direct Telephone Calls to: (name and telephone number) 

Lawrence A. Maxham Telephone - (619) 233-9004 Facsimile - (619) 544-1246 



Full name of sole or first inventor 
Ronald C. Mullin 

Sole or first inventor's signature



Residence 
533 Twin Oaks Crescent 



Citizenship 
Canadian 



Post Office Address 

Waterloo, Ontario N2L 4R9 Canada 



Full name of second inventor, if any 
Scott A. Vanstone 




Second inventor's signature 



Date 



Residence 

10140 Pineview Trail 






Citizenship 
Canadian 



Post Office Address 
Campbellville, Ontario, Canada 
Full name of third inventor, if any
Robert J. Lambert

Third inventor's signature

Date



Residence 

63 Holm Street 



Citizenship 
Canadian 



Post Office Address 

Cambridge, Ontario N3C 3N3, Canada 



Full name of fourth inventor, if any 
Rob Gallant 



Residence 




Fourth inventor's signature



Citizenship 



Post Office Address 


